FAR 52.204-21 Overview

This clause applies to all federal contracts where Federal Contract Information (FCI) may reside on contractor systems. It imposes 15 basic safeguarding requirements covering access control, identification, authentication, media protection, physical protection, and system maintenance. These requirements map to CMMC Level 1.

DFARS 252.204-7012 Overview

This clause applies to DoD contracts involving covered defense information (CDI), which is a subset of Controlled Unclassified Information (CUI). It requires implementation of all 110 NIST SP 800-171 security requirements, and it mandates rapid reporting of cyber incidents affecting CDI.

Key Differences and Triggers

FAR 52.204-21 is the baseline protection for FCI. DFARS 252.204-7012 layers on top of it when CDI is present. If your contract includes 7012, you must meet NIST SP 800-171 in full; meeting only 52.204-21 does not satisfy 7012.

Most contractors conflate the two because both speak of "safeguarding." The gap shows up in assessment scope and in incident reporting.

The Incident Reporting Requirement Most People Miss

DFARS 252.204-7012 paragraph (d) requires reporting cyber incidents to DoD within 72 hours via dibnet.dod.mil. The clause's definition of a reportable incident includes any compromise or potential compromise of CDI. Many contractors treat this reporting as optional, or delay it while they investigate. Delay violates the clause and creates False Claims Act exposure.

To check compliance:

  • Confirm whether your contract flows down DFARS 252.204-7012.
  • Verify NIST SP 800-171 implementation through a System Security Plan (SSP) and, where requirements remain open, a Plan of Action and Milestones (POA&M).
  • Maintain a documented incident response plan that includes the 72-hour DoD reporting process.
  • Test that process with tabletop exercises.

Do not assume the basic FAR controls cover DoD work. The two clauses are not interchangeable.